Mobile Malware Defense

and possibly Anti-Forensics

Sheran A. Gunasekera <sheran@zenconsult.net>

IDSECCONF 2013, Surabaya, Indonesia1

Digital forensics - Analyzing & gathering evidence of incidents occurring on a digital device

Malware - Malicious software designed to disrupt or collect sensitive information from digital devices

2

In 2011, we saw unprecedented growth of mobile malware attacks with a 155 percent increase across all platforms. -- Daniel Hoffman (Juniper)

Malware

3

DetectionSignature based?

Unique characteristics

No signature, no detection

4

In 2012, 45 percent of the AV signatures failed to detect malware that used such basic transformation techniques -- Dark Reading Article [April 2013]

ACME Malware Detector

Malware Signatures

5

PWN3DAssume you’ve been infected

Helps you stay paranoid

6

ActorsYou

Your Mobile Device

The guy spying on you

7

Inbound & outbound email

Inbound & outbound SMS/MMS

Phone Call Logs

BBM Messages

Contact information

How does it work?

8

Crippling Malware

Relies on ex!ltrated data

Expects data to be accurate

But what if the data wasn’t accurate...?

9

Techniques

DDTS - Don’t Drop The Soap *

POEPFlood - Phony Object Escalation Process

FML - Flush My Log *

* Can be used for Anti-forensics

10

DDTS

Possible use for Anti-Forensics

Works on USB trigger

Use IOPortListener or USBPortListener

Trigger on event connectionRequested()

11

USB Connection •Flood Email•Flood SMS•Flood Contact•Flush Log

12

Hooking emailEmail Messages

Package: net.rim.blackberry.api.mail.event

Interface: FolderListener

Methods: messagesAdded()

- Intercept and forward all emails on the BlackBerry handheld

13

Listener

14

Listener

Flooder

15

16

Hooking Call Logs

17

Hooking Call Logs

18

Contact Flooder

Contact 1Contact 2Contact 3Contact 4

19

A note about keywordsFake email only as good as keywords

Build an algorithm to mine existing keywords

Think like the person that spies on you

If they search for “bank”,”password”,”pin”...

20

Log Files

Event LogLog Entry 1

Log Entry 2

Log Entry3

Log Entry n-2

Log Entry n-1

Log Entry n

...

16Kb Log Size

New entries written to the bottom

Old entries are ejected

21

FML

Event LogLog Entry 1

Crap

Crap

Crap

Crap

Crap

...

16Kb Log Size

FMLog attackwrites

fake data

Valid Entries are deleted

22

FML

BlackBerry Log Size - 16kb

Android LogCat size - 64kb

23

Why?

24

Why?

Unorthodox

Good wing-man for conventional

Frustrates the guy spying on you

25

Recap

• Assume you’re pwn3d

• Introduce controlled “noise” in your data

• Make it harder for the guy spying on us

• Sit back and laugh

26

Thanks

sheran@zenconsult.net

http://chirashi.zensay.com

@chopstick_

27